

neildarlow

Member Since 17 Jul 2012

#22648 ProcessWire on NGINX

Posted by neildarlow on 18 December 2012 - 06:35 AM

What is it for? Just for installer?


@k07n: Yes. If you set your permissions correctly on the webserver, apply the HTTP_MOD_REWRITE parameter and copy htaccess.txt to .htaccess then the only warning you receive from the installer is that it can't determine the server software version but it may be possible to continue (which it is!). I should also add that I didn't include: fastcgi_intercept_errors on; in my server configuration block. I have this in my NGiNX http block as a global switch.

@netcarver: Thank you for the kind words. I may not post frequently but I try to make what I write useful to others.

Regards,
Neil Darlow


#22623 ProcessWire on NGINX

Posted by neildarlow on 18 December 2012 - 03:42 AM

Hi,

This is a complete server configuration block for NGiNX communicating with php-fpm.

There are a few things that will require customisation:
  • server_name
  • root
  • access_log and error_log
  • fastcgi_pass - socket or TCP specification
  • configuration blocks relating to 40x and 50x error handling
Note the use of fastcgi_param HTTP_MOD_REWRITE On; which quiets an installer error about requiring mod_rewrite. You might also want to copy htaccess.txt to .htaccess in the ProcessWire top-level directory.

    server {
        listen        80 default_server;
        server_name   localhost localhost.localdomain;
        index         index.php index.html;
        root          /var/www/html;
        access_log    /var/log/nginx/access.log  main;
        error_log     /var/log/nginx/error.log  notice;
        default_type  application/x-php;

        ### SECURITY - Protect crucial files
        location ~ /\. {
            deny  all;
        }
        location ~ /(COPYRIGHT|LICENSE|README|htaccess)\.txt {
            deny  all;
        }
        location ~ ^/site(-[^/]+)?/assets/(.*\.php|backups|cache|config|install|logs|sessions) {
            deny  all;
        }
        location ~ ^/site(-[^/]+)?/install {
            deny  all;
        }
        location ~ ^/(site(-[^/]+)?|wire)/(config(-dev)?|index\.config)\.php {
            deny  all;
        }
        location ~ ^/((site(-[^/]+)?|wire)/modules|wire/core)/.*\.(inc|module|php|tpl) {
            deny  all;
        }
        location ~ ^/(site(-[^/]+)?|wire)/templates(-admin)?/.*\.(inc|html?|php|tpl) {
            deny  all;
        }

        ### GLOBAL REWRITE
        location / {
            try_files  $uri  $uri/  /index.php?it=$uri&$args;
        }

        # pass the PHP scripts to FastCGI server on local socket
        #
        location ~ .+\.php((/|\?).*)?$ {
            fastcgi_pass             unix:/run/php-fpm/php-fpm.sock;
            fastcgi_index            index.php;
            fastcgi_split_path_info  ^(.+\.php)(.*)$;
            fastcgi_param  SCRIPT_FILENAME   $document_root$fastcgi_script_name;
            fastcgi_param  PATH_INFO         $fastcgi_path_info;
            fastcgi_param  HTTP_MOD_REWRITE  On;
            include  fastcgi_params;
        }
        # redirect server error pages to the static page /40x.html
        #
        error_page  404  /404.html;
        location = /40x.html {
            root  /usr/share/nginx/html;
        }
        # redirect server error pages to the static page /50x.html
        #
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root  /usr/share/nginx/html;
        }
    }

In the php-fpm configuration you need to specify unix socket or TCP connection parameters and possibly the chdir setting. These are distribution-dependent values and you will need to determine the correct values for your scenario.

My configuration is as follows:

    ; The address on which to accept FastCGI requests.
    ; Valid syntaxes are:
    ;   'ip.add.re.ss:port'    - to listen on a TCP socket to a specific address on
    ;                            a specific port;
    ;   'port'                 - to listen on a TCP socket to all addresses on a
    ;                            specific port;
    ;   '/path/to/unix/socket' - to listen on a unix socket.
    ; Note: This value is mandatory.
    ;listen = 127.0.0.1:9000
    listen = /run/php-fpm/php-fpm.sock

    ; Set permissions for unix socket, if one is used. In Linux, read/write
    ; permissions must be set in order to allow connections from a web server. Many
    ; BSD-derived systems allow connections regardless of permissions.
    ; Default Values: user and group are set as the running user
    ;                 mode is set to 0666
    listen.owner = nginx
    listen.group = nginx
    listen.mode = 0660

    ; Chdir to this directory at the start. This value must be an absolute path.
    ; Default Value: current directory or / when chroot
    chdir = /var/www/html

Please note that I researched these configurations and the preceding security configuration from original documentation. I did not rely on howtos available on the Internet. Each has been carefully implemented and undergone significant testing before going into production.

Regards,
Neil Darlow
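
An added example, not part of the original post or of ProcessWire: a Python model of how nginx selects among the regex locations in the server block above, usable as a regression check on the deny rules after customising them. The request paths are constructed samples; the model assumes each path is already normalised by nginx and that Python's `re` handles these patterns the same way as PCRE.

```python
import re

# Regex locations copied from the server block above, in file order.
# nginx checks `~` locations in order of appearance; the first match wins.
REGEX_LOCATIONS = [
    (r"/\.", "deny"),
    (r"/(COPYRIGHT|LICENSE|README|htaccess)\.txt", "deny"),
    (r"^/site(-[^/]+)?/assets/(.*\.php|backups|cache|config|install|logs|sessions)", "deny"),
    (r"^/site(-[^/]+)?/install", "deny"),
    (r"^/(site(-[^/]+)?|wire)/(config(-dev)?|index\.config)\.php", "deny"),
    (r"^/((site(-[^/]+)?|wire)/modules|wire/core)/.*\.(inc|module|php|tpl)", "deny"),
    (r"^/(site(-[^/]+)?|wire)/templates(-admin)?/.*\.(inc|html?|php|tpl)", "deny"),
    (r".+\.php((/|\?).*)?$", "php-fpm"),
]
COMPILED = [(re.compile(p), action) for p, action in REGEX_LOCATIONS]
EXACT = {"/40x.html": "static", "/50x.html": "static"}  # `location =` blocks

def route(path):
    """Return the handler nginx would pick for an already-normalised path."""
    if path in EXACT:                      # exact matches are checked first
        return EXACT[path]
    for rx, action in COMPILED:            # then regexes, in file order
        if rx.search(path):
            return action
    return "try_files"                     # fallback: prefix `location /`

# Constructed request paths with the outcome the rules are meant to produce.
EXPECTED = {
    "/.htaccess": "deny",
    "/README.txt": "deny",
    "/site/config.php": "deny",
    "/site/assets/files/12/upload.php": "deny",   # PHP under assets never runs
    "/site/assets/files/12/photo.jpg": "try_files",
    "/site-default/install/install.sql": "deny",
    "/wire/core/ProcessWire.php": "deny",
    "/site/templates/home.php": "deny",           # denied before the PHP block
    "/site/templates/styles/main.css": "try_files",
    "/index.php": "php-fpm",
    "/about/": "try_files",
    "/.well-known/acme-challenge/token": "deny",  # side effect of the dot rule
}

def mismatches():
    """Paths whose modelled handler differs from the expected one."""
    return {p: route(p) for p, want in EXPECTED.items() if route(p) != want}

if __name__ == "__main__":
    for p in EXPECTED:
        print(f"{route(p):10} {p}")
```

The model stops at location selection, so the internal redirect that `try_files` makes to `/index.php` for paths such as `/about/` is not followed.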


#22560 ProcessWire on NGINX

Posted by neildarlow on 17 December 2012 - 02:58 PM

Hi,

I use ProcessWire under NGiNX on both FreeBSD for production and Fedora for development. My security configuration is as follows:

    ### SECURITY - Protect crucial files
    location ~ /\. {
        deny  all;
    }
    location ~ /(COPYRIGHT|LICENSE|README|htaccess)\.txt {
        deny  all;
    }
    location ~ ^/site(-[^/]+)?/assets/(.*\.php|backups|cache|config|install|logs|sessions) {
        deny  all;
    }
    location ~ ^/site(-[^/]+)?/install {
        deny  all;
    }
    location ~ ^/(site(-[^/]+)?|wire)/(config(-dev)?|index\.config)\.php {
        deny  all;
    }
    location ~ ^/((site(-[^/]+)?|wire)/modules|wire/core)/.*\.(inc|module|php|tpl) {
        deny  all;
    }
    location ~ ^/(site(-[^/]+)?|wire)/templates(-admin)?/.*\.(inc|html?|php|tpl) {
        deny  all;
    }

I can share rewriting and php-fpm configuration also if required.

Regards,
Neil Darlow